Defcon 20 CTF Prequals 2012 – Forensics 300 Writeup

So Defcon 20 CTF Prequals 2012 has finished! As in PlaidCTF, I’d like to say thank you to my teammate, Archie!

Let’s start with the Forensics 300 writeup.

The description of the challenge was just “Please get my key back!“, and we were provided with a file named for300-47106ef450c4d70ae95212b93f11d05d.

Let’s start examining the file:


francisco@sherminator:~/Downloads$ file for300-47106ef450c4d70ae95212b93f11d05d
for300-47106ef450c4d70ae95212b93f11d05d: data


Looks like the file utility wasn’t able to recognize the type of the file, so let’s inspect it with a hex editor:

So it’s a firmware image. That means it’s time for binwalk, a tool designed to search binary images for compressed data, filesystems and more.


francisco@sherminator:~/Desktop/binwalk-0.3.9/src$ ./binwalk for300-47106ef450c4d70ae95212b93f11d05d

DECIMAL       HEX           DESCRIPTION
-------------------------------------------------------------------------------------------------------
108           0x6C          LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 3008436 bytes
983148        0xF006C       PackImg Tag, little endian size: 14690560 bytes; big endian size: 2744320 bytes
983180        0xF008C       Squashfs filesystem, little endian, version 4.0, size: 724610815 bytes, 1470 inodes, blocksize: 0 bytes, created: Sat Mar  6 09:29:04 1993
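
To show what binwalk is doing under the hood, here is a small signature scanner and carver added to this writeup (it is neither the author’s code nor binwalk’s): it looks for LZMA headers and Squashfs superblocks in a constructed sample image with the same layout as the table above, prints a similar offset table, and carves the filesystem while sanity-checking the superblock’s size field, since such fields in a scanned image are not always trustworthy.

```python
import struct

# Constructed sample image (not the challenge file): 108 bytes of filler, an LZMA
# "alone" header (properties 0x5D, 32 MiB dictionary, uncompressed size), zero
# padding, then a Squashfs 4.0 little-endian superblock with a short dummy payload.
def build_sample_image():
    lzma_hdr = b"\x5d" + struct.pack("<IQ", 32 * 1024 * 1024, 3008436)
    sqsh = struct.pack("<4sIIIIHHHHHH", b"hsqs", 1470, 0, 131072, 0, 1, 17, 0, 1, 4, 0)
    sqsh += struct.pack("<QQ", 0, 96 + 64)          # root_inode, bytes_used (superblock + payload)
    sqsh += b"\x00" * (96 - len(sqsh))              # remainder of the 96-byte superblock
    return b"HDR" * 36 + lzma_hdr + b"\x00" * 200 + sqsh + b"\xaa" * 64 + b"\xff" * 16

def scan_image(data):
    """Return sorted [(offset, description)] for LZMA headers and Squashfs superblocks."""
    hits = []
    pos = data.find(b"\x5d")
    while pos >= 0 and pos + 13 <= len(data):
        dict_size, uncompressed = struct.unpack_from("<IQ", data, pos + 1)
        # Real LZMA headers carry a power-of-two dictionary in a sane range; this
        # rejects most stray 0x5D bytes without attempting a decompression.
        if 4096 <= dict_size <= 64 * 1024 * 1024 and dict_size & (dict_size - 1) == 0:
            hits.append((pos, "LZMA compressed data, dictionary size: %d bytes, "
                              "uncompressed size: %d bytes" % (dict_size, uncompressed)))
        pos = data.find(b"\x5d", pos + 1)
    for magic, endian, name in ((b"hsqs", "<", "little"), (b"sqsh", ">", "big")):
        pos = data.find(magic)
        while pos >= 0 and pos + 96 <= len(data):
            inodes, _mtime, block_size = struct.unpack_from(endian + "III", data, pos + 4)
            major, minor = struct.unpack_from(endian + "HH", data, pos + 28)
            bytes_used, = struct.unpack_from(endian + "Q", data, pos + 40)
            hits.append((pos, "Squashfs filesystem, %s endian, version %d.%d, size: %d bytes, "
                              "%d inodes, blocksize: %d bytes"
                              % (name, major, minor, bytes_used, inodes, block_size)))
            pos = data.find(magic, pos + 1)
    return sorted(hits)

def carve_squashfs(data, offset):
    """Slice out the Squashfs image at offset; an implausible bytes_used falls back to EOF."""
    endian = "<" if data[offset:offset + 4] == b"hsqs" else ">"
    bytes_used, = struct.unpack_from(endian + "Q", data, offset + 40)
    end = offset + bytes_used
    if bytes_used < 96 or end > len(data):
        end = len(data)  # header field is untrustworthy (corrupt or misparsed); carve to EOF
    return data[offset:end]

if __name__ == "__main__":
    image = build_sample_image()
    for offset, description in scan_image(image):
        print("%-10d 0x%-8X %s" % (offset, offset, description))
    print("carved %d bytes of Squashfs" % len(carve_squashfs(image, 321)))
```

On a real dump the carved slice is what you would hand to unsquashfs; when the size field is nonsense, checking the carved data against the next signature offset is the practical fallback.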

We have a Squashfs in there, a read-only filesystem commonly used on Live CDs and in router firmware. We will try to extract that filesystem using firmware-mod-kit:


francisco@sherminator:~/firmware-mod-kit-read-only/trunk$ ./extract-ng.sh for300-47106ef450c4d70ae95212b93f11d05d

After a few minutes, firmware-mod-kit tells us that it has finished its job and that the output is located in the fmk/ directory.


francisco@sherminator:~/Desktop/fmk$ ls
image_parts  logs  rootfs

There we have the filesystem of the firmware, right in the rootfs directory. Let’s see what we can find there:


francisco@sherminator:~/Desktop/fmk/rootfs$ ls
bin  dev  etc  home  htdocs  lib  mnt  proc  sbin  sys  tmp  usr  var  www

Now let’s go straight to the /home/dlink folder:


francisco@sherminator:~/Desktop/fmk/rootfs/home/dlink$ ls -la
total 12
drwxrwxr-x 2 root root 4096 2012-05-30 18:24 .
drwxrwxr-x 3 root root 4096 2012-05-30 18:20 ..
-rw-r--r-- 1 root root   45 2012-05-30 18:24 key.txt

And finally:


francisco@sherminator:~/Desktop/fmk/rootfs/home/dlink$ cat key.txt
ewe know, the sh33p always preferred Linksys

So the key for this challenge was: ewe know, the sh33p always preferred Linksys


8 thoughts on “Defcon 20 CTF Prequals 2012 – Forensics 300 Writeup”

  1. F100: blkls -s f100
    F200: use the deleted 2467 file (retrieved with autopsy):

    stegdetect -s 2 2467trash.jpg
    2467trash.jpg : outguess(old)(*)

    outguess -r -e -k “ddtek” 2467trash.jpg key
    Initalize encoding/decoding tables
    Reading 2467trash.jpg….
    Extracting usable bits: 1793659 bits
    Decode: 12 data after ECC: 4
    Steg retrieve: seed: 297, len: 55614
    Decode: 55614 data after ECC: 29013

    file key
    key: Zip archive data, at least v2.0 to extract

    unzip key
    Archive: key
    inflating: 98753.pdf

    key in PDF!

  2. damn, I spent a few hours playing around with sleuth and autopsy for F100 and the key was under my nose :(

  3. May I ask HOW you knew it was firmware, as I struggled on this challenge?
    Is it because of the first bytes, as JPEGs have ff d8 ff e0, or for other reasons?

    And good write-up :)

    • I realized that it was firmware based on two strings that you can see on the screenshot of the hex-editor:

      * “dev=/dev/mtdblock/2 type=firmware”

      * “signature=wrgnd08_dlob_dir815”. If you google for “dir815” you’ll see that it’s a D-Link router.
